Re: [sipcore] Resend: WGLC: draft-ietf-sipcore-digest-scheme

[worley@ariadne.com (Dale R. Worley)]

Looking into this issue:

> > 2) There is discussion "The IANA registry ... specifies the algorithms
> > .... and specifies a priority for each algorithm."  But I cannot find the
> > word
> > priority in the registry, nor in the sole reference in the registry, RFC
> > 7616.  Can you update this to point to whatever defines the priority?
> >
> >
> It is specified in section 3.7:
> https://tools.ietf.org/html/rfc7616#section-3.7
> 
> But I think the wording in the draft is confusing; I will try to clarify
> that.

Looking at section 2.1 of draft-ietf-sipcore-digest-scheme-02, it reads

   2.1.  Hash Algorithms

   The Digest scheme has an 'algorithm' parameter that specifies the
   algorithm to be used to compute the digest of the response.  The IANA
   registry named "HTTP Digest Hash Algorithms" specifies the algorithms
   that correspond to 'algorithm' values, and specifies a priority for
   each algorithm.

   [RFC3261] specifies only one algorithm, MD5, which is used by
   default.  This document extends [RFC3261] to allow use of any
   registered algorithm.

   The priority of the algorithm defines its usage preference.  UAs
   SHOULD prefer algorithms with higher priorities.

   Note that [RFC7616] defines a -sess variant for each algorithm; the
   -sess variants are not used with SIP.

A nit is that the registry is named "Hash Algorithms for HTTP Digest
Authentication".

RFC 7616 is not referenced here as establishing the priorities, but
rather the IANA registry is referenced.  The critical text is from RFC
7616, which establishes the preference ordering of algorithms not
globally, but based on the authentication challenge in a particular
challenge/response transaction:

   The server MUST
   add these challenges to the response in order of preference, starting
   with the most preferred algorithm, followed by the less preferred
   algorithm.
   [...]
   When the client receives the first challenge, it SHOULD use the first
   challenge it supports, unless a local policy dictates otherwise.

This suggests the wording could be improved along thse lines (changes
marked with "|"):

   2.1.  Hash Algorithms

   The Digest scheme has an 'algorithm' parameter that specifies the
   algorithm to be used to compute the digest of the response.  The IANA
 | registry named "Hash Algorithms for HTTP Digest Authentication"
 | specifies the algorithms
 | that correspond to 'algorithm' values.

   [RFC3261] specifies only one algorithm, MD5, which is used by
   default.  This document extends [RFC3261] to allow use of any
   registered algorithm.

 | [RFC7616] specifies the usage preference when a response
 | contains multiple challenges specifying different algorithms.  That
 | specification is not changed by this document.

   Note that [RFC7616] defines a -sess variant for each algorithm; the
   -sess variants are not used with SIP.

And there is this issue:

> 1) When is the binding time of "the contents of the Hash Algorithms for
> HTTP Digest Authentication registry"?  That is, if a new algorithm is
> added to the registry, does it automatically become authorized for use
> in SIP?
>
> My impression is that the answer is Yes.

Perhaps I am being too fussy about this issue.  But I would like to
ensure that nobody mistakes the intention of this document.  I think
the following two wording changes would be more than enough to avoid
any problems:

   1.  Introduction

   This document updates the Digest Access Authentication scheme used by
   SIP to support the list of digest algorithms defined in the "Hash
 | Algorithms for HTTP Digest Authentication" registry (defined by
 | [RFC7616]) as it is updated from time to time.

   2.1.  Hash Algorithms

   [RFC3261] specifies only one algorithm, MD5, which is used by
   default.  This document extends [RFC3261] to allow use of any
 | algorithm that is registered at the time of use.

Dale